Yesterday’s global WannaCry Ransomware attack made it’s authors a grand total of $16800, a total of 46 victims paying up the required $300 for unencrypting their data.
Transactions can be monitored via the Bitcoin accounts that hackers wanted payments sent to. There were three bitcoin accounts associated with the hack:
https://blockchain.info/address/12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
https://blockchain.info/address/13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
https://blockchain.info/address/115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
The attack was accidentally stopped in its track when a Malware Analyst team (@MalwareTechBlog) discovered the killswitch domain, which the malware periodically looked for via a http get command, and if found forced the malware into hibernation mode. On discovery of the domains the analyst registered the domains, sinkholing it and essentially shutting down the infection.
The original attack vectors seem to be emails with links to a dropper that downloaded the Shadow Brokers, NSA leaked DOUBLEPULSAR framework, which opens a backdoor on the machine. Once the backdoor was in place the WannaCry ransomware would connect to the back door to spread and encrypt the contents of each machine.
The backdoor itself would spread via the exploitation of the SMB vulnerabilities addressed as part of Microsoft Security Bulletin MS17-010. The attackers used ETERNALBLUE, which was part of the NSA leaked framework to compromise this vulnerability.
Patching the system would have stopped the spread, good email behaviour would have stopped the initial infection, and if you had/have the SMB ports 139 or 445 assessable to the internet you deserve to be infected. You can check if you have these ports open by going here : http://canyouseeme.org/
While we are talking about patching, here is a suggestion, turn on Automatic Updates on your Windows Servers. I know, I know, not recommended, etc etc, might break out systems etc etc. While that might be true on servers where you have legacy or custom applications it is VERY unlikely on standard desktops and majority of your servers. Identify the low risk servers, like your file servers, domain controllers, DNS servers, etc etc and turn on automatic updates.
We are now at the time of our history where cyber threats are a bigger risk and significantly more likely to occur than a bad patch from a vendor, which would stop standard applications from working as expected. Let’s change how we do patching, let’s be more selective about where we don’t patch by default, make not patching automatically the exception, not the norm.
German Train Station Terminals Infected:
